Introduction

The following discussion introduces the framework for the new storage system data recovery design. Specifications for the new storage system were given in MTB-110. This bulletin is concerned with the part of the data recovery task currently termed "salvaging." (The remaining part is backup and retrieval.) Data recovery mechanisms exist because of imperfections, both in hardware and software. The reason for a salvager redesign is to increase two important Multics attributes, availability and reliability. Availability implies that stored data should always be dynamically accessible at the demand of any user, while reliability implies no loss of stored data as well as the safe storage of the security information used to protect the stored data.


This MTB proposes a major change to today's salvaging operation. To accommodate storage growth, salvaging will become dynamic and distributed. More of the errors corrected by the salvager will become user visible. An implementation plan which chronicles the design decisions still to be made is given in the companion MTB-221, "New Storage System Salvager Implementation." In order to explain why this MTB's design is being proposed, some background material is presented first.


Storage System Overview


As a first order approximation, the Multics storage system can be viewed as a logical organization for an array of file maps. This logical organization can be broken into two parts: directory control and storage control. Directory control handles the logical structuring of the user data and stores the security information. A directory consists of objects (branches, names, acls, etc.) whose data is held in structures. Relations among the objects are implemented by threading the structures together. Storage control manages the file map arrays. A file map is nothing more than an array of physically sequenced keys to the stored data.

Multics Project internal working documentation. Not to be reproduced or distributed outside the Multics Project.


Stored data can be "found" by only one method: logically traversing through a hierarchical structure of directories. Since directories have internal structure, a successful logical traverse requires a physically correct internal structure. Errors have been caused by human, probabilistic (hardware), and even cosmic (unknown, such as lightning causing a power outage) actions. Because only the human cause of these errors can (theoretically) be eliminated, error detection and recovery are necessary. The mechanism used for this purpose currently is the offline salvager. The system is crashed upon detection of an error and correction is achieved by running the salvager (thus making the system unavailable for useful work). Such operation is necessary today, but its cost is too high for the services provided, since most of the directories salvaged have no errors.


New Storage System Structure


The New Storage System (NSS) splits current directory branches into two parts, the logical attributes and the physical attributes. The physical attributes are stored in a self-consistent format, the volume table of contents entry (vtoce), which contains a uid pathname. The connection between a NSS directory branch and a vtoce is logical in both directions. This design is inherently more costly to process for the salvager as well as for the storage system because two disk references, one for the branch, the other for the vtoce, are often necessary where one sufficed previously.

Projecting the present salvager's operation into a NSS format gives running time estimates of 5 hours for a 190 disk drive system. Performing the same operation with a multi-process salvager could cut this time down by 1/2 to 1/10 depending on the hardware configuration. Unfortunately, the near future capacity doubling of the MSU0451s makes even the multi-process approach unacceptable.


Current directory control is coded with the assumption that threads and relative pointers are always valid. Thus a brief description of the salvager's action would be that its primary purpose is only to prevent faults on thread and relative pointer references. A walkthrough of the salvager code reveals that directory control relies on few of the other parts of a directory object's structure. Other benefits derived from salvaging are garbage collection (directory compaction and the freeing of space used by process directories and hardcore segments), and quota verification. Some cross-checking on acl structures and access-class relationships is done in an attempt to establish security non-compromise.


The salvager also checks for reused addresses by recording all page assignments in a new free storage map which replaces the old one at the end of salvaging. This task has been split out of the directory salvager by the NSS design, since every volume (disk pack) now contains its own map. A salvage operation over a volume will be performed by a volume salvager, to be described later.


Terminology 


Before proceeding any further, definitions must be given for the terms used. The term "salvaging" is misleading in its innate description of the current code's function, since an operational description is mostly "directory checking" with correction occurring infrequently. When "salvager" is used it will refer to today's operation. For the proposed design, compound terms will be used to more clearly indicate which operations are being discussed.


"Jirectory ecneckinzg" is defined as tnat code whien detects errors 
in directories. "Directory salvager" defines that eode whieca 
2orrects and comoacts directories, "Connection sheecxinz" refers 
to that code whien enecks branen-vtoce e2onnections. "Yoluns 
BSalvazer" refers to that code which perforys garoage collection 
Qn a volune. 


Specifications for the Directory Salvager

The directory salvager is first viewed as a black box with input, output, and environmental specifications. The following describes the input and output constraints:


1. The input is a bit string and some (read only) context predicates.

2. The output is a valid directory (this includes a null directory).

3. Given a valid directory as input, the output is the same valid directory. This can be called the non-destruction rule.

   a. Optionally, given a valid directory and a length as input, the output is a valid directory which includes the input valid directory as a subset. Valid objects that exist within the input length will be connected to the appropriate places. This is the reclamation option.

4. If an invalid directory object is found, then it will be changed to be valid only if no security compromise can occur. If it is changed then a possible loss of correctness will be indicated. Otherwise, it will be discarded. This is the object acceptance criterion and the inverse is the discard criterion.

Page 4 MTB-220


A few words about the use of the words "validity" and "correctness" are in order. An object is correct if its data has not changed by any means other than by user calls to storage system entry points that are provided specifically to change the data. (Correct data is simply data that has not been clobbered by the system.) Only certain correctness losses are detectable.


An object is valid if its structure conforms to the rules that are implicitly given by the storage system implementation. A minimum set of validity rules is defined by a particular implementation. The directory salvager can, of course, validate all possible structural parts, guaranteeing validity irrespective of any storage implementation changes. This extra checking guarantees that all errors (clobberings) which span both data and structure will, if possible, be detected. Thus the probability of detecting correctness losses is increased.


Design Basics 


Clearly, it is only necessary to rebuild directories that have errors in them. All other rebuilding is wasteful and adds to the cost of the service. If the goal of service continuity is put aside for the moment, it would be acceptable to rebuild only the one directory that caused a crash. In the current salvager, consideration of reliability and garbage collection had made us willing to spend the processing time required to salvage all directories, in the belief that other inconsistencies might exist and would cause crashes shortly into the next bootload. We cannot afford such action on larger hierarchies because salvaging time increases linearly with the size of the hierarchy.


A closer look into the use of the current salvager at external sites reveals another purpose, that of restoring the confidence level in an "intact" hierarchy back to 100%. (Here "intact" is used to convey the ideas of correctness and validity.)


It is proposed that directory structure checking become an integral feature of the online operation of directory control and that the notion of a separate salvager subsystem be dropped. Error detection will be done dynamically, and corrections will be done by online rebuilding. Dynamic checking can be visualized as the breaking up of the current salvager into two parts, scattering the checking function throughout directory control, and retaining the directory rebuild function. A salvage of the entire hierarchy will still be possible, but will be rarely used.


The economics of dynamic checking indicate that it will be more expensive than today's offline strategy on stable hardware configurations with small disk complements. Part of this cost can be written off as that necessary for utility operation; i.e. with dynamic checking and online rebuilding, the mean time between failures should increase, and down time be minimized to that necessary to repair failures not caused by the storage system. Also the checks are applied in direct proportion to the activity of a directory; a quiescent directory is not checked. A significant cost reduction will be made by altering structures to decrease checking time and to increase error detection probability. Since these costs can only be given in ballpark figures today, part of the design process will be to measure the actual costs on a NSS system before deciding what checking is viable.


Environment


The environment of the directory salvager is considered next. As is true for the offline salvager, the directory salvager relies on correctly functioning lower level machines. Both today's salvager and the NSS directory salvager assume that hardware, page control, and the syserr mechanism work. In addition, the directory salvager will assume that directory locking is also functioning. These assumptions can be made safely as long as errors from lower level machines are either processed in the lower level machine or are random. A random error distribution guarantees that the directory salvager will eventually run during a time period when no errors occur, and therefore will return a valid directory.


As insurance against non-random errors that are not detected by the directory salvager, a small array of invocation times and errors found will be kept in every directory header. If the directory salvager is invoked too frequently, it will inform the operator that a possible loop exists. A review of the errors found should help in determining whether hardware or software is suspect.


The ability for a boot to always get to command level is an important factor in the confidence level in Multics. The offline salvager's contribution here was to guarantee structurally valid libraries. The equivalent confidence in the New Storage System will be achieved as follows: Part of every boot will be to run the volume salvager over the root's physical volume and to directory salvage the root, system_control_1, and any other important system libraries. The inclusion of salvaging as an integral part of Multics boot relies on a hardcore partition as proposed in MTB-213. If the answering service cannot be started, a reload of the primary system libraries could be performed. Once command level is reached, every site is at liberty to specify more checking in its startup sequence.


Distributed Checking


So far the directory salvager has been viewed as a black box. The following section describes the specific checks and structure changes that are proposed.


At the end of each structure a checksum field and an owner field will be added. The owner field will contain the directory uid for directory threaded objects, and the entry uid for entry threaded objects. A length field and an object type field will be added to the front of each object. Each threaded list will have a unique count of the number of members in the list. Since this is already true for all lists except initial acls, the initial acl total count will be replaced by an array of individual list counts.

Therefore all directory objects will have the following format:

Based on directory structure statistics at MIT, the proposed structure modifications would increase an average directory by 35%.


The following checks can be made by directory control. Each check can be made independently of the others; thus the eventual installation will have the most viable set of checks as determined by the cost/performance studies outlined in MTB-221.


1. All storage system procedures that calculate relative addresses will check if the address is 0 before using it. In most cases this can be done by adding one instruction when computing relative pointers. For proper operation, the end of a thread will be some value other than 0.


2. All directory objects will have a type id in their structures. All references to a thread pointer, or to the item itself, will first check for the correct type value. This check will probably add three instructions to every reference. In a similar manner, the length and owner fields can be checked.


3. For all directory objects, templates are formed which test all the constant bits. For ASCII data this would translate to testing the first two bits of each character to be 0. For directory headers this would translate to testing that all pad fields remain 0. These checks can be implemented via extended instructions and a test. Template checking will first be used by the directory salvager when rebuilding a directory.

4. Finally, each object will have a checksum stored along with its data. A checksum calculation would take as many instructions as the length of the object plus two more for a comparison and transfer. The cost of storing a checksum when an object is created or changed is negligible if we assume that the number of directory references is much greater than the number of directory modifications; thus it should be calculated along with each modification and used by the directory salvager. Checksums will be calculated for only the relatively constant data fields in a structure, not for items such as date-time-used.


An easily implemented installation option would be to template and/or checksum all access names during an access mode calculation. Access_mode already references exception bits in the pds and thus would require only two or three extra instructions to check another exception bit.
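The C program below is an added example, written for this bulletin's readers; it is not code from MTB-220 or from Multics. It implements the four checks listed above over a constructed object layout (length and type at the front of each object, owner and checksum at the end, with 16-bit cells standing in for Multics 9-bit characters). The struct fields, sizes, result codes and sample names are all assumptions. A walk over one threaded list applies the zero-pointer test, then the type, owner, template and checksum tests on each member, and verifies the per-list member count; a final routine shows which check catches each of several constructed clobberings.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout following the MTB's proposal: length and type ahead of
 * the data, owner and checksum behind it.  Cell width, sizes and result codes
 * are assumptions for this example, not the Multics format. */
enum obj_type { OBJ_FREE = 0, OBJ_NAME = 2, OBJ_ACL = 3 };
enum { DIR_SLOTS = 16, NAME_CHARS = 8, THREAD_END = 0xFFFF };

typedef enum {
    CHK_OK = 0, CHK_ZERO_PTR, CHK_RANGE, CHK_TYPE, CHK_OWNER,
    CHK_TEMPLATE, CHK_CHECKSUM, CHK_COUNT
} chk_result;

typedef struct {
    uint16_t length;            /* cells in the object, header and trailer included */
    uint16_t type;              /* enum obj_type; a zeroed (freed) slot reads OBJ_FREE */
    uint16_t next;              /* relative pointer; 0 is never valid, THREAD_END closes the list */
    uint16_t name[NAME_CHARS];  /* ASCII in 9-bit cells: bits 7 and 8 are always 0 */
    uint16_t dtu;               /* date-time-used changes on every reference: not checksummed */
    uint16_t owner;             /* uid of the owning directory */
    uint16_t checksum;          /* over the relatively constant fields only */
} dir_obj;

typedef struct {
    uint16_t uid;
    uint16_t name_head;         /* relative pointer to the first name object */
    uint16_t name_count;        /* per-list member count kept in the header */
    dir_obj slot[DIR_SLOTS];    /* slot 0 is never allocated, so rel ptr 0 means "clobbered" */
} directory;

/* Covers only fields that change through storage system entry points;
 * recomputed on every modification, compared on every check. */
uint16_t obj_checksum(const dir_obj *o) {
    uint32_t sum = o->length + o->type + o->owner;
    for (int i = 0; i < NAME_CHARS; i++) sum += o->name[i];
    return (uint16_t)sum;
}

/* Template check: the top two bits of every 9-bit ASCII character are 0. */
static int template_ok(const dir_obj *o) {
    for (int i = 0; i < NAME_CHARS; i++)
        if (o->name[i] & 0x180) return 0;
    return 1;
}

/* Per-reference checks in the MTB's order: zero and bounds test on the
 * relative pointer, then type, owner, template and checksum of the object. */
chk_result check_object(const directory *d, uint16_t rel, enum obj_type want) {
    if (rel == 0) return CHK_ZERO_PTR;
    if (rel >= DIR_SLOTS) return CHK_RANGE;
    const dir_obj *o = &d->slot[rel];
    if (o->type != want) return CHK_TYPE;
    if (o->owner != d->uid) return CHK_OWNER;
    if (!template_ok(o)) return CHK_TEMPLATE;
    if (o->checksum != obj_checksum(o)) return CHK_CHECKSUM;
    return CHK_OK;
}

/* Walk one threaded list, checking each member and the list's member count.
 * The count also bounds the walk, so a cycle in the thread cannot hang it. */
chk_result check_thread(const directory *d, uint16_t head, enum obj_type want,
                        uint16_t expected_count) {
    uint16_t n = 0;
    for (uint16_t rel = head; rel != THREAD_END; rel = d->slot[rel].next) {
        chk_result r = check_object(d, rel, want);
        if (r != CHK_OK) return r;
        if (++n > expected_count) return CHK_COUNT;
    }
    return n == expected_count ? CHK_OK : CHK_COUNT;
}

/* Constructed sample: three names threaded 1 -> 2 -> 3, all checksummed. */
void build_sample(directory *d) {
    static const char *names[] = { "alpha", "beta", "gamma" };
    memset(d, 0, sizeof *d);
    d->uid = 0x1234;
    d->name_head = 1;
    d->name_count = 3;
    for (uint16_t i = 1; i <= 3; i++) {
        dir_obj *o = &d->slot[i];
        o->length = sizeof(dir_obj) / sizeof(uint16_t);
        o->type = OBJ_NAME;
        o->next = (i == 3) ? THREAD_END : (uint16_t)(i + 1);
        for (int c = 0; names[i - 1][c]; c++) o->name[c] = (uint16_t)names[i - 1][c];
        o->owner = d->uid;
        o->checksum = obj_checksum(o);
    }
}

/* Apply one constructed clobbering to the sample and report which check catches it. */
chk_result clobber_and_check(int scenario) {
    directory d;
    build_sample(&d);
    switch (scenario) {
    case 1: d.slot[2].next = 0;         break;  /* zeroed thread pointer */
    case 2: d.slot[3].type = OBJ_ACL;   break;  /* wrong object type on the name thread */
    case 3: d.slot[1].owner = 0x9999;   break;  /* object belonging to another directory */
    case 4: d.slot[2].name[0] |= 0x100; break;  /* non-ASCII bit set in a character */
    case 5: d.slot[1].name[0] = 'z';    break;  /* data changed without re-checksumming */
    case 6: d.name_count = 2;           break;  /* header count disagrees with the list */
    default: break;                             /* 0: untouched */
    }
    return check_thread(&d, d.name_head, OBJ_NAME, d.name_count);
}
```

Scenario 5 is the case the checksum exists for: the changed character is still valid ASCII, so the template passes and only the checksum notices. The count check doubles as the cycle guard the text's "unique count" makes possible.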


ACL Errors 


When an acl error occurs, the current directory strategy of sharing access names creates problems in retaining any information from the valid acl entries. All acls that share a bad access name must be deleted as no secure method exists for protecting the integrity of an acl. It is proposed that an acl out-of-service condition be supported by the storage system. Replacement of the acl would be required to turn on service. But the name sharing strategy has often produced many (if not all) invalidated acls in a directory. Thus multiple corrections for one error are required. If acl errors are frequent enough in NSS then sharing of access names should be dropped. This change would also have the beneficial effect of localizing all branch attributes, thus reducing page faults. Sharing within a branch would still be supported.


The cost of not sharing acl names is rather high, with an average increase in directory size of 45%. Even if the savings obtained from reduced page faults (due to the localization of the acl) are included, the sum will still show a cost increase. Recovery of this increase could be accomplished by implementing variable size hash tables.

Directory Control Changes


As well as type and owner field checking, certain bounds and cross checks of structure values will be added to directory control when it is in the explicit interest of a procedure to decrease its gullibility. Several checks of this kind already exist; for example, when acls are listed, the number found in the acl list is compared to the count in the branch.


Currently the count of sharers kept with each acl name is used to allow deletion of the name. If the count was incorrect, then reassignment of the name slot would change a person or project name on several acls. For this reason, it is proposed that access names not be freed until a rebuild is performed. A reference to a name with a zero sharing count will be one more form of error detection.


Directory Allocation


A simplification to the directory allocation scheme is proposed. Instead of maintaining several different fixed size free lists, all allocation requests will be placed at the end of a directory. Slots that are freed will be zeroed and not reused. A total of the freed space will be kept so that the necessity of compaction can be determined. This strategy has the desired effect of isolating the introduction of errors; for example, a new branch will have its names and acls physically as well as logically attached. In case of modifications (deletions and additions), not reusing the freed slots allows the detection of cross threading errors, something the current salvager does not check. Thus we are introducing segregation in an attempt to lessen the occurrence of errors that spill over (affect more than one branch).


Now that allocation can accept any reasonable size request, links can be stored more compactly. Also the introduction of new objects into a directory need not consider the current block size limitations. Changing sizes of current structures is also facilitated. Implicit in this suggestion is that directory space management will be done inline by directory control because it is so simple. If variable size allocation is adopted, then the proposed new directory structures would only increase an average directory's size by 5% rather than 35%. If variable size hash tables are implemented, then a net size decrease of 30% could be achieved.


Triggering Rebuilds


Whenever the freed space total and the count of directory attribute modifications exceed some threshold, the directory salvager will be invoked to perform a rebuild. Here we have achieved the desired property that the more a directory is modified, the more often it is validated. It is not necessary to count directory read operations because the new storage system design does not require any directory modifications in order to read (search) directories.
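The following C program is an added example, not code from MTB-220 or from Multics, covering the allocation scheme of the previous section together with the rebuild trigger of this one: every request is placed at the end of the directory, freed objects are zeroed and never reused (so a stale pointer lands on a recognizably free slot, the cross threading detection the text describes), a freed-space total and a modification count accumulate, and when their sum passes a threshold a compaction rebuild is run. The cell array, the [length][type][payload] object header, the threshold value and the sample operations are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: a directory is an array of cells; each object occupies
 * [length][type][payload...] starting at the allocation high-water mark.
 * Cell count, header layout and threshold are assumptions for this example. */
enum { DIR_CELLS = 256, REBUILD_THRESHOLD = 40, OBJ_FREE = 0 };

typedef struct {
    uint16_t cell[DIR_CELLS];
    uint16_t end;           /* next unallocated cell; cell 0 stays unused so rel 0 = clobbered */
    uint16_t freed_total;   /* cells zeroed by free_obj since the last rebuild */
    uint16_t mod_count;     /* attribute modifications since the last rebuild */
} directory;

void dir_init(directory *d) {
    memset(d, 0, sizeof *d);
    d->end = 1;
}

/* Every request goes at the end; there are no free lists.  Returns the
 * relative pointer of the new object, or 0 when the directory is full. */
uint16_t alloc_obj(directory *d, uint16_t type, uint16_t payload_cells) {
    uint16_t need = (uint16_t)(payload_cells + 2);
    if (type == OBJ_FREE || d->end + need > DIR_CELLS) return 0;
    uint16_t rel = d->end;
    d->cell[rel] = need;
    d->cell[rel + 1] = type;
    d->end = (uint16_t)(d->end + need);
    d->mod_count++;
    return rel;
}

/* Freeing zeroes the object and charges its size to the freed total.  The
 * slot is never handed out again, so a stale thread pointer into it finds
 * type OBJ_FREE rather than some unrelated newer object.  Returns 1 on success. */
int free_obj(directory *d, uint16_t rel) {
    if (rel == 0 || rel >= d->end) return 0;
    uint16_t need = d->cell[rel];
    if (need < 2 || rel + need > d->end) return 0;   /* already free, or garbled length */
    memset(&d->cell[rel], 0, need * sizeof d->cell[0]);
    d->freed_total = (uint16_t)(d->freed_total + need);
    d->mod_count++;
    return 1;
}

/* Cross threading detection: a reference that lands on a zeroed slot. */
int ref_is_cross_threaded(const directory *d, uint16_t rel) {
    return rel == 0 || rel + 1 >= d->end || d->cell[rel + 1] == OBJ_FREE;
}

/* The trigger: the more a directory is modified, the sooner it is rebuilt.
 * Reads are not counted because reading never modifies the directory. */
int needs_rebuild(const directory *d) {
    return (uint32_t)d->freed_total + d->mod_count > REBUILD_THRESHOLD;
}

/* Rebuild (compaction): copy live objects to the front in order, leave the
 * tail zero, reset both counters.  Returns the number of live objects kept.
 * Re-threading the moved objects is the directory salvager's job and is
 * not modelled here. */
int rebuild(directory *d) {
    directory n;
    int kept = 0;
    dir_init(&n);
    for (uint16_t rel = 1; rel < d->end; ) {
        uint16_t need = d->cell[rel];
        if (need == 0) { rel++; continue; }            /* inside a zeroed slot */
        if (rel + need > d->end) break;                /* garbled length: stop here */
        memcpy(&n.cell[n.end], &d->cell[rel], need * sizeof d->cell[0]);
        n.end = (uint16_t)(n.end + need);
        kept++;
        rel = (uint16_t)(rel + need);
    }
    *d = n;
    return kept;
}
```

Because the threshold counts freed cells as well as modifications, a directory that is churned (many allocate/free pairs) is rebuilt sooner than one that merely grows, which is the "the more a directory is modified, the more often it is validated" property.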


For dynamically detected errors, the mechanism used to trigger the directory salvager is the following: whenever a directory is locked, a handler for the "invalid directory" condition is set up to call the directory salvager. After the rebuilding, control is transferred to the statement following the lock call, thus repeating the function on the rebuilt directory. Internal directory control procedures need only signal whenever an error is found. All procedures which lock directories must be checked for code which will operate properly when restarted after the lock call; for instance, variables assigned before the lock call cannot be reassigned after the lock call.
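The restart mechanism just described, as an added C example (not code from MTB-220 or from Multics). setjmp/longjmp stands in for the Multics condition mechanism: lock_dir arms the handler, an internal check that fails signals the condition, the handler runs the rebuild and control resumes at the statement after the lock call, so the interrupted operation repeats on the rebuilt directory. The invocation record kept in the header (from the Environment section) doubles as the loop guard: past a limit the signal is no longer honoured and the "possible loop" flag is raised for the operator. The directory model, its single inconsistency (header count versus threaded names), the persistent-fault switch and the limit value are assumptions.

```c
#include <setjmp.h>

enum { REBUILD_LIMIT = 3 };   /* constructed: invocations before a loop is suspected */

typedef struct {
    int locked;
    int name_count;        /* count kept in the directory header */
    int names_threaded;    /* what a walk of the name thread actually finds */
    int persistent_fault;  /* constructed: an error the rebuild cannot remove */
    int rebuilds;          /* invocation record kept in the header */
    int loop_suspected;    /* "inform the operator that a possible loop exists" */
} directory;

static jmp_buf invalid_directory_handler;
static int handler_armed = 0;

/* The directory salvager's rebuild, reduced to re-deriving the count. */
static void directory_salvager(directory *d) {
    d->rebuilds++;
    if (!d->persistent_fault) d->name_count = d->names_threaded;
}

/* Called by any internal directory control procedure that finds an error.
 * Honoured only while a handler is armed and the invocation record is still
 * below the limit; otherwise the loop flag is set and the caller carries on
 * with the unrepaired directory instead of retrying forever. */
void signal_invalid_directory(directory *d) {
    if (handler_armed && d->rebuilds < REBUILD_LIMIT)
        longjmp(invalid_directory_handler, 1);
    d->loop_suspected = 1;
}

/* lock_dir must be a macro: the setjmp has to live in the frame of the
 * procedure that will be restarted.  Arriving here with a nonzero setjmp
 * result means an error was signaled: rebuild, re-arm, fall through to the
 * statement after the lock call. */
#define lock_dir(d) do {                                                    \
        if (setjmp(invalid_directory_handler) != 0) directory_salvager(d);  \
        handler_armed = 1;                                                  \
        (d)->locked = 1;                                                    \
    } while (0)

void unlock_dir(directory *d) {
    handler_armed = 0;
    d->locked = 0;
}

/* An internal procedure: its only duty on error is to signal. */
int count_names(directory *d) {
    if (d->names_threaded != d->name_count) signal_invalid_directory(d);
    return d->name_count;
}

/* A directory control entry written to be restartable.  Nothing assigned
 * before lock_dir is reassigned after it; `n` is assigned only after the
 * lock, so a restart simply recomputes it. */
int list_name_count(directory *d) {
    int n;
    lock_dir(d);
    n = count_names(d);   /* may signal -> rebuild -> restart at this statement */
    unlock_dir(d);
    return n;
}
```

The third test case is the non-random error the Environment section warns about: the rebuild runs REBUILD_LIMIT times without clearing the fault, after which the signal is refused and the loop flag is left for the operator to review.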


Error Reporting


The methods used today for reporting errors detected by the salvager are inadequate. Of significant concern to users are missing branches, bad names, and lost acls. Although the salvager prints all detected errors, no method exists for distributing these messages or issuing warnings. There is also a problem in deciding who should receive the messages.


Both the directory salvager and the volume salvager will use the syserr mechanism for recording errors, as the syserr log is the permanent record of system events (especially detected failings). The log can be processed online in order to detect error patterns and maybe even predict hardware failures. To reflect errors to users, flags will be set. Bad name and missing branch flags will be set in the directory header while an invalid acl flag will be set in the branch. The current action of deleting invalid acls will be changed to retain the acl for listing purposes. Directory control will treat the invalid acl flag as if the acl was null (acl out-of-service). The invalid acl flag can be turned off by either deleting the entire acl or replacing it. No action for missing names and branches is currently planned, as these are relevant to Multics search rules and could affect every process. For example, if a name was missing in >sss then every process might be stopped until the flag was reset. In the future errors could become visible by changing the search of such directories to signal some condition. The default action would be to ignore this signal.


Storage Control

Storage control errors are handled by a volume salvager. The input and output specifications for the volume salvager are as follows:

1. The input is the string of bits that comprise a volume.

2. The output is a valid new storage system format volume.

3. Given a valid storage volume, the same storage volume is returned.
4. If an invalid vtoce is found, it will be deleted. If a reused address is found and the vtoce appears to be a directory, the volume salvager will invoke the directory salvager on this directory. If no errors are found, then the page in question will be awarded to the directory and the vtoce set out-of-service. Turning on service to such a directory must be performed by an administrator.


The volume salvager environment is also similar to the directory salvager's. Each establishes exclusive control over its subjects (in this case a disk pack). Also each relies on correctly functioning lower level mechanisms. For the volume salvager this is disk i/o. In the final implementation, the volume salvager should gain control of the volume via RCP. But for now, a direct path to the disk dim will be used.


Disk Packs


To aid in checking vtoces, their structure will be extended to be similar to that of directory objects. The vtoce checksum will cover only the uid pathname and the access class, as other vtoce fields change too frequently.


Since only a limited reused address check can be made by page control (the user of vtoces), volume checking would normally occur infrequently. Therefore triggering the volume salvager has to be accomplished artificially. One installation option would be to salvage at the time the disk is logically connected. This might be judged too costly (1 - 3 min. per MSU0451), so that scheduled volume salvaging could be implemented for slack time periods.


As well as salvaging all vtoces, the volume salvager will reconstruct the volume map and will check for reused addresses. A reused address involving a directory will be resolved by asking the directory salvager if any errors were found in salvaging the pages that include the reused address data. A finding of no errors would result in awarding the page to that directory. If errors were found, then the rebuilt version of the directory with a zero page would replace the bad one, and a retrieval request for that directory issued. (A more detailed description of directory retrievals will be given in the backup MTB.) A reused address on a segment would result in a null address award (equivalent to zeroing), an out-of-service indication, and a retrieval request. A second pass over the volume will be made to handle any directories that were the first claimants of reused addresses.
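The reused-address pass, as an added C example that is not code from MTB-220 or from Multics. A volume is modelled as a handful of vtoces, each with a small file map; the volume map is rebuilt from those maps, every page claimed a second time is resolved by the rules above (segment: null address, out-of-service, retrieval request; directory: ask the directory salvager, award the page if it checked clean, otherwise zero the page and request retrieval), and a second pass gives any first-claimant directory its zero page and retrieval request. Following specification item 4, a directory that is awarded a page is still set out-of-service pending an administrator. The directory salvager's verd­ict is a caller-supplied callback; the page count, vtoce fields, sample volume and sample verdict are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a volume for the reused-address pass.  Sizes, vtoce
 * fields and sample values are assumptions for this example. */
enum { VOL_PAGES = 64, VTOCES = 6, MAP_PAGES = 4, NULL_ADDR = 0 };

typedef struct {
    uint16_t uid;
    int is_dir;
    int out_of_service;
    int retrieval_requested;
    uint16_t lost_mask;          /* map slots a first-claimant directory lost in pass 1 */
    uint16_t addr[MAP_PAGES];    /* file map; NULL_ADDR marks an unassigned page */
} vtoce;

typedef struct {
    vtoce v[VTOCES];
    int claimant[VOL_PAGES];     /* rebuilt volume map: index of the vtoce holding the page, -1 = free */
    int claim_slot[VOL_PAGES];   /* which map slot of that vtoce claims it */
} volume;

/* Returns 1 when the directory salvager found no errors in the pages that
 * include `addr`; the real verdict comes from salvaging the directory. */
typedef int (*dir_verdict_fn)(const vtoce *dir, uint16_t addr);

/* Null address award, out-of-service indication, retrieval request. */
static void take_page_away(vtoce *v, int slot) {
    v->addr[slot] = NULL_ADDR;
    v->out_of_service = 1;
    v->retrieval_requested = 1;
}

/* Rebuild the map and resolve every reused address.  Returns how many were found. */
int salvage_volume(volume *vol, dir_verdict_fn verdict) {
    int reused = 0;
    for (int a = 0; a < VOL_PAGES; a++) vol->claimant[a] = -1;

    /* Pass 1: rebuild the map; resolve each page at its second claimant. */
    for (int i = 0; i < VTOCES; i++) {
        vtoce *v = &vol->v[i];
        for (int s = 0; s < MAP_PAGES; s++) {
            uint16_t a = v->addr[s];
            if (a == NULL_ADDR) continue;
            if (a >= VOL_PAGES) { take_page_away(v, s); continue; }  /* address off the volume */
            if (vol->claimant[a] < 0) { vol->claimant[a] = i; vol->claim_slot[a] = s; continue; }
            reused++;
            vtoce *first = &vol->v[vol->claimant[a]];
            if (v->is_dir && verdict(v, a)) {
                /* Clean directory: award it the page; the first claimant loses it.
                 * Service stays off until an administrator turns it on. */
                v->out_of_service = 1;
                if (first->is_dir) first->lost_mask |= (uint16_t)(1u << vol->claim_slot[a]);
                else take_page_away(first, vol->claim_slot[a]);
                vol->claimant[a] = i;
                vol->claim_slot[a] = s;
            } else {
                take_page_away(v, s);   /* a segment, or a directory that did not check clean */
            }
        }
    }

    /* Pass 2: first-claimant directories get the rebuilt version with a zero
     * page and a retrieval request. */
    for (int i = 0; i < VTOCES; i++)
        for (int s = 0; s < MAP_PAGES; s++)
            if (vol->v[i].lost_mask & (1u << s)) take_page_away(&vol->v[i], s);
    return reused;
}

int pages_in_use(const volume *vol) {
    int n = 0;
    for (int a = 0; a < VOL_PAGES; a++) n += vol->claimant[a] >= 0;
    return n;
}

/* Constructed verdict: only directory 0xD2 checks clean. */
int sample_verdict(const vtoce *dir, uint16_t addr) { (void)addr; return dir->uid == 0xD2; }

/* Constructed volume: page 11 shared by two segments, page 20 by two
 * directories, page 12 by a segment and a directory. */
void build_sample(volume *vol) {
    static const vtoce sample[VTOCES] = {
        { 0xA1, 0, 0, 0, 0, { 10, 11, 0, 0 } },
        { 0xD1, 1, 0, 0, 0, { 20, 21, 0, 0 } },   /* loses 20 in pass 2 */
        { 0xA2, 0, 0, 0, 0, { 11, 12, 0, 0 } },   /* loses 11 to 0xA1 */
        { 0xD2, 1, 0, 0, 0, { 20, 30, 0, 0 } },   /* wins 20 from 0xD1 */
        { 0xD3, 1, 0, 0, 0, { 12,  0, 0, 0 } },   /* loses 12: does not check clean */
        { 0xA3, 0, 0, 0, 0, { 40,  0, 0, 0 } },
    };
    memset(vol, 0, sizeof *vol);
    memcpy(vol->v, sample, sizeof sample);
}
```

The verdict callback is what keeps the Loops section's mutual recursion out of this code: the volume salvager holds the pack exclusively and has already made every address unique before it asks, so the directory salvager can never signal a reused address back.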


Branch - VTOCE Connection


The new storage system design includes the dynamic checking of the logical connection between the branch and vtoce at activation time. The resolution of an error at this time should be as follows:


1. Check the vtoce checksum. If it is correct then mark the branch as unconnected. A user encountering an unconnected branch can either delete it or issue a retrieval request for its vtoce. A future addition might be to allow scanning of volumes for an unconnected vtoce entry with the matching uid and, upon finding one, connecting the branch to it.

2. If the checksum is wrong, then mark the vtoce out-of-service and issue a retrieval request for that vtoce. The user referencing the branch would receive the out-of-service error immediately and could try again at some later time.
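The activation-time check and its two-way resolution, as an added C example (not code from MTB-220 or from Multics). The branch carries the segment uid; the vtoce carries the uid pathname from the root down to the segment plus the access class, and a checksum over exactly those two fields as the Disk Packs section specifies. When the expected pathname (the containing directory's uid path with the branch uid appended) and the vtoce's pathname differ, the checksum decides which side is blamed: an intact vtoce means the branch is marked unconnected, a damaged vtoce is set out-of-service with a retrieval request. The path depth, field widths, checksum function and sample values are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a branch and a vtoce for the connection check.  Path
 * depth, field widths and the checksum are assumptions for this example. */
enum { PATH_DEPTH = 8 };

typedef struct {
    uint16_t uid_path[PATH_DEPTH];   /* root ... parent, segment; zero-padded */
    uint16_t access_class;
    uint16_t checksum;
    int out_of_service;
    int retrieval_requested;
} vtoce;

typedef struct {
    uint16_t uid;
    int unconnected;
} branch;

typedef enum { CONN_OK = 0, CONN_BRANCH_UNCONNECTED, CONN_VTOCE_OUT_OF_SERVICE } conn_result;

/* Only the two slowly changing fields are covered, so the checksum stays
 * valid across the date-time and usage updates that other vtoce fields see. */
uint16_t vtoce_checksum(const vtoce *v) {
    uint32_t sum = v->access_class;
    for (int i = 0; i < PATH_DEPTH; i++) sum += v->uid_path[i];
    return (uint16_t)sum;
}

/* `dir_path` is the uid pathname (dir_depth uids) of the directory holding
 * the branch; the vtoce must carry that path with the branch uid appended. */
conn_result check_connection(branch *b, const uint16_t *dir_path, int dir_depth, vtoce *v) {
    uint16_t expected[PATH_DEPTH] = { 0 };
    if (dir_depth < 0 || dir_depth >= PATH_DEPTH) {
        b->unconnected = 1;              /* path cannot be represented: constructed choice */
        return CONN_BRANCH_UNCONNECTED;
    }
    memcpy(expected, dir_path, (size_t)dir_depth * sizeof expected[0]);
    expected[dir_depth] = b->uid;
    if (memcmp(expected, v->uid_path, sizeof expected) == 0) return CONN_OK;

    /* The logical connection is broken: the vtoce checksum says which side. */
    if (v->checksum == vtoce_checksum(v)) {
        b->unconnected = 1;              /* vtoce intact: the branch points at the wrong vtoce */
        return CONN_BRANCH_UNCONNECTED;  /* user may delete it or request retrieval of the vtoce */
    }
    v->out_of_service = 1;               /* vtoce damaged: user sees out-of-service at once */
    v->retrieval_requested = 1;
    return CONN_VTOCE_OUT_OF_SERVICE;
}
```

The second outcome is the one the Loops section relies on: a retrieval that brings back an already deleted branch is harmless, because the next activation re-runs this check and reports the mismatch.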


One future extension should be mentioned. Whenever a directory retrieval is performed, instead of replacing the contents in toto, the version from backup and the existing version could be logically coalesced. This would prevent loss of new branches. In any case, notice that although a retrieval can return already deleted branches, the correct action is taken at activation when a connection mismatch is detected.


Loops


In the effort to preserve all possible information, we have chosen not to delete objects but to mark them as having errors, and to allow users to issue retrievals. Unfortunately, there is no guarantee that the retrieved information is correct; in fact it may have the same error. This is a loop which only a user can detect. The resolution is that, if necessary, a previous copy retrieval should be tried, ad infinitum.


An apparent loop also exists in the specification of reused address processing. Assume that the volume salvager detects a reused address when processing a directory vtoce. It asks the directory salvager for some advice, but the directory salvager, in formulating its opinion, can get a reused address signaled from page control, and this would invoke the volume salvager! This sequence is prevented from happening if we ensure that all addresses in a particular directory are unique (done by the volume salvager) and that the volume salvager has exclusive control of the disk pack (thus page control cannot signal a reused address on it).


Purposely saved until the end is the subject of quota validation. The elimination of offline salvaging implicitly dropped this function, since it can only be done on quiescent subtrees. It could be performed online only if there was a guarantee that this was the only process looking at the subtree. One approach to achieve this would be to turn on security out-of-service for all components in the subtree. Once we assume or take action to provide exclusiveness, a procedure which sets the used values in an aste must be provided. It is proposed that quota validation become a part of the administrative mechanisms used in determining volume usage charges.


While on the subject of charges, notice that the directory control checking design has transformed the collective aggregate cost of offline salvaging into a process assigned "pay as you use" part of the storage system. For physical volumes that are wholly owned by projects, even the use of the volume salvager as the garbage collection device is automatically charged to the correct project.


Summary

1. The salvager is split into three parts: a directory salvager which rebuilds directories, scattered checking in directory control, and a volume salvager which checks for reused addresses and rebuilds the volume map.

2. Detected errors are entered in the syserr log, and users are notified of errors by out-of-service conditions and error bits in the directory header.

3. Directory structures are expanded to be more robust and the directory allocation scheme is changed to take advantage of the directory salvager. The costs for an average directory are as follows:

   Structure changes          +35%
   Variable allocation        -30%
   Non-shared access names    +45%
   Variable size hash table   -35%


(end) 


